NOJIRA: Pac4J libs update

Fixes for login with no valid role causing error loop and filter chain checks for static assets
TIER · Feb 2, 2024 · 768d2d1 · 768d2d1
1 parent e9cd237
commit 768d2d1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/.../main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/.../main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -157,7 +157,12 @@ public InMemoryUserDetailsManager userDetailsManager() {
     @Bean
     @Profile("!no-auth")
     public WebSecurityCustomizer webSecurityCustomizer() {
-        return (web) -> web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
+        return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                        new AntPathRequestMatcher("/entities/**/*"),
+                        new AntPathRequestMatcher("/favicon.ico"),
+                        new AntPathRequestMatcher("/assets/**/*.png"),
+                        new AntPathRequestMatcher("/static/**/*"),
+                        new AntPathRequestMatcher("/**/*.css")).and().httpFirewall(allowUrlEncodedSlashHttpFirewall());
     }
 
     private HttpFirewall allowUrlEncodedSlashHttpFirewall() {

diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -125,6 +125,11 @@ public WebSecurityCustomizer webSecurityCustomizer() {
         firewall.setAllowUrlEncodedDoubleSlash(true);
         firewall.setAllowSemicolon(true);
 
-        return (web) -> web.httpFirewall(firewall);
+        return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                                                       new AntPathRequestMatcher("/entities/**/*"),
+                                                       new AntPathRequestMatcher("/favicon.ico"),
+                                                       new AntPathRequestMatcher("/assets/**/*.png"),
+                                                       new AntPathRequestMatcher("/static/**/*"),
+                                                       new AntPathRequestMatcher("/**/*.css")).and().httpFirewall(firewall);
     }
 }
diff --git a/...-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java b/...-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java
@@ -27,6 +27,9 @@ public Optional<Credentials> validate(CallContext ctx, Credentials credentials)
         Optional<Credentials> validatedCreds = super.validate(ctx, credentials);
         validatedCreds.ifPresent(creds -> {
             CommonProfile profile = (CommonProfile) creds.getUserProfile();
+            if (profile == null) {
+                return;
+            }
             profile.setRoles(userService.getUserRoles(profile.getUsername()));
             creds.setUserProfile(profile);
             userService.updateLoginRecord(profile.getUsername());